Journal of Hardware and Systems Security https://doi.org/10.1007/s41635-018-0050-5

Hardware Security Implications of Reliability, Remanence, and Recovery in Embedded Memory

Sergei Skorobogatov1

Received: 9 July 2018 /Accepted: 27 September 2018 # The Author(s) 2018

Abstract Secure semiconductor devices usually destroy key material on tamper detection. However, remanence effect in SRAM and Flash/EEPROM makes secure erasure process more challenging. On the other hand, of the embedded memory is essential to mitigate fault attacks and Trojan . issues could influence the reliability of embedded systems. Some examples of such issues in industrial and automotive applications are presented. When it comes to the security of semiconductor devices, both and data retention issues could lead to possible by an attacker. This paper introduces a new power glitching technique that reduces the data remanence time in embedded SRAM from seconds to microseconds at almost no cost. This would definitely help in designing systems with better secret key guarding. Data remanence in non- could be influenced in the same way. The effect of data remanence and data retention on hardware security is discussed and possible countermeasures are suggested. This should raise awareness among the designers of secure embedded systems.

Keywords Data remanence . Data retention . SRAM . EEPROM . Flash . Glitching . Hardware security . PUF . PRNG

1 Introduction industrial equipment, etc. It seems that a serious reliability issue was overlooked, and we might see more systems and in the form of static RAM (SRAM) devices starting to behave unpredictably or stop working. If it was introduced in the 1960s. It was later found to have data is a toaster or microwave oven, you can cope, but what about remanence problems similar to magnetic media with reliable old electronics equipment used in cars, aircrafts, and industrial data deletion [1–4]. Reprogrammable non-volatile memory infrastructure? Previous research on car systems showed how (NVM) was first introduced as EEPROM in the late 1970s the malfunction of certain car modules could pose a serious and then as Flash in the 1980s. They were also found to be threat to passengers [7, 8]. In this research, possible cause of affected by data remanence [5, 6]. As a result, there is possi- embedded system sporadic failures was found and this could bility that some information can still be extracted from previ- have very serious consequences. ously erased memory. This could create problems with secure In the 1980s, it was realised that low temperatures can devices where designers assumed that all sensitive informa- increase the data retention time of SRAM to many seconds tion is gone once the memory is erased. If the passwords or or even minutes. With the devices available at that time, it was secret keys can be extracted afterwards, it could affect confi- found that increased data retention started at about − 20 °C dentiality of the previously encrypted information. and increased as temperature fell further [2]. Some devices are Reliability of is paramount for modern embed- therefore designed with temperature sensors; any drop below ded systems. Many people have come across situations when − 20 °C is treated as a tampering event and results in immedi- some microcontroller-based systems started behaving odd or ate memory zeroisation [9, 10]. The experiments described in stopped working. This might be home appliances, cars, this paper are set to measure the data remanence in modern microcontrollers to see if the low temperature data remanence still exists in embedded devices. * Sergei Skorobogatov Usually, the data remanence problem is tackled by wrap- [email protected] ping the device into tamper protection enclosure with temper- 1 Department of and Technology, University of ature sensors to prevent freezing and tamper sensors to detect Cambridge, Cambridge, UK intrusion [9–11]. This gives enough time to safely wipe secret J Hardw Syst Secur key off the memory contents. However, designing a device 2.1 Data Remanence with embedded SRAM having a low data remanence comes at a cost. This often requires modifying the SRAM cells to in- Security engineers are interested in the period of time for corporate an additional destruction signal [12]. On practice, which an SRAM device will retain data once the power has this means that developers have very narrow choice of been removed. This is because many products do crypto- microcontrollers and system-on-chip (SoC) devices with such graphic and other security-related computations using secret capability. For example, Maxim Integrated (former Dallas keys or other variables that the equipment’soperatormustnot Semiconductor) offers secure microcontroller DS5250 with be able to read out or alter. The usual solution is for the secret two self-destruct inputs which on activation wipe off the data to be kept in volatile memory inside a tamper-sensing memory contents within microseconds [13]. Data remanence enclosure. On detection of a tampering event, the volatile in NVM is usually defeated by several cycles of erasing and memory chips are powered down or even shorted to ground. overwriting operations [6]. However, this cannot be accom- If the data retention time exceeds the time required by an plished in a short time especially for devices with a large opponent to open the device and power up the memory, then memory size. the protection mechanisms can be defeated. Chip manufacturers do not publish information about On power up, the symmetric SRAM cells are tend to go remanence effects in their chips. Of course, a developer more likely into one of the states 0 or 1. Each chip has unique can run data remanence tests on a selected batch of and uncontrollable biases for each that depends suitable chips. But this would take time and add cost on the intrinsic properties of semiconductor production. This to the design. The outcome of this research can be used helps to distinguish between each individual chip as well as to improve the protection of secure systems which use use this for each device having unique PUF key for encryp- SRAM as a source of randomness and unique keys. tion. However, data remanence imposes some limitations on First is used in pseudorandom number generators the time between each initialisation. Otherwise, either random (PRNG) employed in many cryptographic protocols. number will be predictable or the data used in PUF will always Others are used to derive unique keys from physical be the same making cloning much easier. unclonable functions (PUF). By reducing the data rem- Another important thing to keep in mind is that security anence time, the contents of the SRAM can be information could be restored even if part of the memory is refreshed more often and with higher randomness. The corrupted. If an attacker has correctly restored only 90% of the research presented in this paper demonstrates that 128-bit key, he will have to search through n!/(m!(n–m)!) = SRAM data remanence problem still exists in modern 128!/(115!13!) = 2.12 × 1017 ~258 possible keys. This is fea- microcontrollers and like before deteriorates at low tem- sible to calculate in an hour with a medium-size cluster of peratures. This paper offers a low-cost solution to computers or by using special hardware key cracker device. completely eliminate the data remanence problem at al- If only 80% of the information is known, an attacker will need most no cost. It also demonstrates that Flash/EEPROM 2.51 × 1026 ~288 searches. Having even 100 times the capa- can be affected in the same way, and this could have bility, the attacker will spend more than a million years influence on the security of embedded systems. searching for the key. To simplify data remanence time calcu- Data retention can affect reliability of automotive and in- lations, we assume that if 50% of information is lost, then the dustrial systems. The results of this research should be of key cannot be recovered anymore. considerable concern to the developers of secure devices. Unlike SRAM, which has only two stable logic states, This paper makes the following contributions: it demon- EPROM, EEPROM, and Flash cells store analogue values in strates that data remanence effect is present in embedded the form of a charge on the floating gate of a MOS transistor. SRAM; it suggests a solution to significantly reduce data rem- The floating-gate charge shifts the threshold voltage of the cell anence time; it reveals that negative power glitching affects transistor, and this is detected with a sense amplifier when the the security of some microcontrollers; it exposes security is- cell is read. sues related to short data retention time of embedded EEPROM. 2.2 Data Retention

Programmed floating-gate memories cannot store information 2 Background forever. Up until the late 1990s, these cells were not robust enough and usually held the charge for only 10–20 years. The Embedded systems are often based on microcontrollers— failure mechanisms of EEPROM and cells are small integrated circuits with SRAM, ROM, EEPROM, and well known. Various processes, such as field-assisted electron Flash on a single silicon die. Two opposite effects were eval- emission, de-trapping of electrons, and ionic contamination, uated in this paper—data remanence and data retention. cause the floating gate to lose its charge, and this increases at J Hardw Syst Secur higher temperatures [14]. Flash memory inherited similar data engineer, it would be natural to overlook the important param- retention problems associated with the nature of data storage eters omitted by the manufacturer. The consequences could be on a floating gate from the EEPROM. The failure rate doubles devastating especially for high-risk applications. every 10° [15]. Another failure mode in the very thin tunnel Memory technologies have significantly improved over the oxides used in Flash memories is programming disturb, where past 20 years. Most modern microcontrollers have guaranteed unselected erased cells adjacent to selected cells gain charge data retention time of over 40 years, but not all manufacturers when the selected cell is written. This is not enough to change specify the data retention parameters. Up until the mid-2000s, the cell threshold sufficiently to upset a normal read operation, the microcontrollers with only 10 years of guaranteed data but could cause problems to the data retention time. Typical retention time were still manufactured. If they ended up in guaranteed data retention time for EPROM, EEPROM, and critical systems, this could pose some serious problems. Flash memories is 10, 40, and 100 years respectively. Those Although the mechanisms associated with data retention are figures are usually referred to operating temperatures up to well known and investigated, this does not eliminate the 85 °C. When devices are operating at higher temperatures, chances of failures caused by configuration memory especial- like in automotive applications up to 125 °C, the data retention ly as this memory cannot be easily tested in some cases. time is likely to be reduced to just a few years. When it comes to the hardware security, data recovery be- There is a certain probability of distribution of weak cells comes the major concern. An attacker could potentially re- which pass the initial testing after fabrication but cannot hold verse engineer the embedded system by extracting all the in- as much charge as normal cells. This could be caused by formation from embedded memory. Mask ROM is usually the process variation during the fabrication, e.g. defect in material easiest target because the information is stored in the form of or contamination of masks or reagents. They could also be present or absent transistor. This in some cases could be di- introduced by partial failures in the array control logic rectly observed under optical microscope [19]. In other cases, resulting in lower write voltage or shorter write time. These selective etching or microprobing would help [20, 21]. Flash/ cells are likely to lose their charge and fail much faster espe- EEPROM would require more sophisticated methods as the cially during high-temperature operation [16]. information is stored in the form of electrical charge. That Failures of several embedded systems were investigated means that either atomic force microscope (AFM) [22]or during this research. One was a failure in SCADA (supervi- scanning electron microscope (SEM) [23] will be required. sory control and data acquisition) [17] controllers used in the SRAM extraction is the most challenging task, because any energy supply industry. Although company engineers were interruption of the power supply could result in . able to locate the cause of the system failure being the Also, the switching energy of the memory cell is several or- Motorola MC68HC11A1 microcontroller [18], they were un- ders of magnitude lower than in Flash/EEPROM. This makes able to figure out why the microcontroller fails after certain SRAM the most secure storage. However, the requirement for time. It turned out that although hardware engineers did learn having battery limits the areas of applications. the specification and avoided possible prob- lem, they were unable to predict that some other parameters could change during the device lifetime. These parameters are set at the chip factory after fabrication and testing, and in most 3 Experiments cases, end users have no need to change them. Similar failures were detected by car repair mechanics with engine control unit As targets for the SRAM experiments, the following stopping to work after 10–15 years or car keys ‘forgetting’ microcontrollers were selected: Freescale (former Motorola) their crypto keys. There are no research publications on this MC68HC908AZ60 [24] and MC68HC908AZ60A [25], because all those cars have past even extended warranty Texas Instruments MSP430F112 [26] and MSP430F427 period. [27]. These were common microcontrollers used in the In many chips, EEPROM and Flash cells could also be the 1990s and 2000s and fabricated with 0.9- to 0.35-μm process. part of configuration and security fuses. These fuses can con- Several samples of each type were tested to measure the var- trol the size of available SRAM, EEPROM, and Flash mem- iation of data remanence time between devices within the ory. In some microcontrollers, the configuration is user acces- same family. For the non-volatile memory experiments, the sible and even. In MC68HC11A1, the user can configure the following microcontrollers were selected: Microchip OPTION register and select whether the ROM, EEPROM, PIC16F873 [28], Atmel ATmega163 [29], and ATtiny12 and watchdog timer are enabled. If the ROM is disabled, the [30]. For data retention experiments, Motorola chip can only work with external memory. Usually, chip man- MC68HC11A1 and MC68HC11A8 [18] were selected as they ufacturers do not specify the data retention time for the chip were similar to the chips used in failed industrial boards. configuration fuses despite to most of them being based on Special test boards were built to efficiently communicate with standard EEPROM cells. Hence, for system hardware the devices and test their embedded SRAM and Flash/ J Hardw Syst Secur

EEPROM memory. The boards were connected to a PC with the device under test. The amplitude of the glitch was regulat- controlling software via RS-232 interface. ed on the test board using passive LCR low-pass filters. The same glitching experiments were repeated for the pro- 3.1 Data Remanence Experiments cess of secure erasure of Flash/EEPROM in Microchip and Atmel microcontrollers. Chip manufacturers claim that the In the first set of experiments, the chips were tested for SRAM process of chip erase is performed in a way that the informa- data remanence at room temperature (+ 20 °C), low tempera- tion from code and data memory is removed well before the tures down to − 30 °C, and high temperatures up to + 80 °C. security fuses are reset. The glitching could have effect on that For that each device was first initialised with data patterns in process, like it had on SRAM data remanence. The SRAM then powered down for different periods of time be- microcontrollers were programmed with a test pattern then fore powering it up and reading its memory contents. Both secured by setting their security fuses. The power glitches of Motorola and Texas Instruments microcontrollers have on- different durations and amplitudes were applied before chip monitor ROM which allows communication via RS- starting the chip erase operation. Then, after 100-ms time, 232 interface; hence, no special on-chip software is necessary the chip was powered down for 1 s before checking the state to access embedded SRAM. of its memory and fuses. Previous research revealed that grounding power supply line to the device can significantly reduce data remanence time 3.2 Data Retention Experiments [4]. Therefore, all used pins of the microcontroller were forced to GND at the start of measuring period. For temperature One experiment was carried out on a partially working old control, stacked Peltier elements with fan air cooling were optical microscope (Leitz Ergolux). The electronic board in- used. For temperature monitoring, a standard digital thermom- side its controller was behaving odd, thus sometimes moving eter was used with external thermocouple and 0.1 °C the stage and lenses unexpectedly. Inside the controller was a resolution. microprocessor-based board. The problem was rectified by The next set of experiments with SRAM was aimed at reading the 2764 EPROM IC at different voltages and then verifying the new idea of how data remanence is affected by reprogramming the same memory chip. Similar issues with power glitching. Instead of a smooth power down process on EPROM and EEPROM reliability were found in many old the VCC line (Fig. 1, blue trace), the switching was performed cars. Car repair garages have to deal with many old electronic with deliberate overshooting (orange trace). This was blocks in cars which failed after some loss of data. Refreshing achieved by designing a special power supply unit controlled the embedded memory inside microcontrollers solved the by a PC where the power supply voltage was sampled by problem in 90% cases. digital-to-analogue converter. The overshooting glitch was The final set of experiments was performed to measure data formed by an operational amplifier with capacitive load. retention time in Motorola MC68HC11Ax microcontrollers. Then, the signal was buffered to supply enough current to For that a UV light was used as an ageing source to establish

Fig. 1 Power down process on VCC line: blue—normal, orange—glitch J Hardw Syst Secur how the memory cells lose their charge and what effect this MSP430F112 and minutes for MC68HC908AZ60A at − has on the chip operation. To access the die, the sample of 30 °C. At higher temperature, the data remanence time is MC68HC11A1 chip was decapsulated with standard process reduced to milliseconds for MC68HC908AZ60A at + 80 °C. using fuming nitric acid [20]. The UV erasure experiments In the logarithmic scale of Fig. 4, the temperature dependency were aimed at speeding up the ageing process to observe of data remanence is almost linear. how the memory cells lose their charge and any correlation The effect of power glitching on the data remanence time with OPTION register. was very significant for all samples of tested microcontrollers. For all microcontrollers, the memory contents were complete- ly wiped off to a random state with as short as 5-μs glitch (Fig. 4 Results 1). Even for the MSP430F112 microcontroller which normal- ly has about 8-ms data remanence time at room temperature, 4.1 Data Remanence Results this is a thousand times improvement. While for MC68HC908AZ60A microcontroller with half a second data Data remanence results at room temperature for four remanence time, it is significantly better. At low temperatures, microcontrollers are presented in Fig. 2. One hundred percent the glitching helps with the same efficiency—the data rema- memory corruption stands for the outcome of a very long nence time reduced from several minutes to a few microsec- power down. The time coordinate is in logarithmic scale as onds. This effect is caused by a quick discharge of SRAM cell this helps to see the transition clearer. The older Motorola transistors into negatively biased power line. SRAM cell is microcontroller MC68HC908AZ60 has the longest data rem- formed by two inverters. Figure 5 shows the structure of a anence time, while the Texas Instrument microcontroller CMOS inverter. It consists of NMOS and PMOS transistors, MSP430F112 has the shortest time. Figure 3 shows distribu- but as a side effect, three diodes are formed by p-n junctions. tion of data remanence time between nine different samples of When negative voltage is applied to Vcc, the ‘out’ line is similar devices—three of MC68HC908AZ60, three of quickly discharged through the diode, thus forcing the MC68HC908AZ60A (mask 2J74Y), and three of SRAM cell to ‘forget’ its state. At the same time, the short MC68HC908AZ60A (mask 3K85K). As it can be observed, and controlled glitch pulse does not cause a latch-up effect. differences between data remanence time of samples from the Power glitching of EEPROM and Flash microcontrollers same batch could be larger than between average samples of was different from the SRAM. For all tested samples of different devices. Microchip PIC16F873, and Atmel ATmega163 and At low temperature, the data remanence time is expectedly ATtiny12, the glitching caused data retention of the main increased for both Motorola (Fig. 4) and Texas Instruments EEPROM and Flash memory to increase. At the same time, microcontrollers. The time was counted to the moment when the security fuses were unaffected. This resulted in the security 50% of cells lost their state. The data remanence time is ac- of those microcontrollers being circumvented once the celerated at temperatures below 0 °C. This leads to seconds for glitching pulse was large enough. Because the chip erase

Fig. 2 Data remanence effect in 100 different microcontrollers 90

80

70

60

50

40

30

Memory corruption, % 20

10

0 0 0 0 0 0 0 0 0 0 0 1 3 5 7 9 12 16 20 50 0 5 0 0 5 0 5 0 00 0 00 1 1 2 25 3 3 4 4 500 6 700 8 0 2 1 1 1400 Time, ms

F112 430F427 908AZ60A 908AZ60 J Hardw Syst Secur

Fig. 3 Data remanence difference between batches

process is internally timed, it is not possible to erase the mem- programming the memory. Writing 0’s into the memory ory forever; the control circuit shuts down the erasure process causes the cells’ transistors to store the charge. When the after about 20 ms. charge is removed with UV light, the memory cell is read as ‘1’ or erased state. One of the EEPROM blocks has extra row 4.2 Data Retention Results line and it turned out that the part of it is used for storing the OPTION register. The additional EEPROM cells look exactly Experiments were carried out on decapsulated Motorola the same as the normal EEPROM memory cells. Therefore, MC68HC11A1 microcontroller for the purpose of finding their behaviour and parameters should remain the same. In out if the data retention time of the configuration fuses is the order to compare the data retention time of those special cells same as for the on-chip EEPROM. The chip manufacturer with normal cells, the dependency of the data retention from specifies EEPROM data retention time as 10 years; however, the UV exposure time was measured. The time when half of it does not specify that time for the EEPROM bits of OPTION the cells have lost their charge was 45 min and was identical register. for both areas. This suggests that the data retention parameters Close look at the die revealed all important areas in the of the EEPROM could be used to estimate the guaranteed embedded EEPROM. Partial reverse engineering of the mem- retention time for the OPTION register. ory physical map was carried out using semi-invasive The consequence of unintentional change of the OPTION methods [19]. For that different parts of the EEPROM array register contents could be devastating. This is because this on the decapsulated sample were exposed to UV light after register controls the presence of ROM and EEPROM in the

Fig. 4 Temperature dependence 1000 of data remanence time in HC908AZ60A 100

10

1 -40 -20 0 20 40 60 80 100

0.1 Data remanence, s

0.01

0.001 Temperature, C J Hardw Syst Secur

semiconductor devices with embedded EEPROM and Flash memory could pose serious reliability issues by starting malfunctioning after 10–20 years. For some devices, the sys- tem design engineers could be completely unaware about pos- sible problems because the chip manufacturer might not spec- ify parameters of the EEPROM cells used for internal factory debug and testing purposes. However, when those cells Fig. 5 Structure of CMOS inverter change their state through normal ageing process, the device operation will be affected. Although ageing of memory map. While the EEPROM corruption could be miti- microcontrollers is a concern for industry, it was mainly in- gated using error correction techniques, sudden change of the vestigated for space applications rather than automotive and memory layout will likely cause the system to crash. industrial ones. Also, none of those investigations were aimed at security aspects but rather on software integrity, data stor- age, and limited number of reprogramming cycles for Flash/ 5 Conclusion EEPROM storage. The danger of widely used microcontroller-based systems The research presented in this paper showed that data rema- going into sporadic failures is hard to overestimate. Electronic nence still exists in modern microcontrollers. For some de- modules in old cars sometime start to play up; however, this is vices, the effect could be very serious and allow keeping the often being treated as normal ageing failure; hence, the owner secret information and keys for several seconds at room tem- or insurance company pays the bill. However, the underlying perature. At low temperature down to − 30 °C, it could in- problem is much deeper. The outcome and cause of the prob- crease to minutes. Previous solutions were either too expen- lem could be devastating for other industries as it lies at inter- sive (special SRAM cells) or bulky (tamper enclosure with section between hardware, software, reliability, and security. temperature sensors). Heating up the chip might help a bit, For most chips, manufacturers guarantee at least 40 years of but might not be suitable due to excessive heat and bulky data retention time. However, if chips are operating at higher design. This paper introduces a solution to that problem which temperatures, like in automotive applications, their actual data reduces the data remanence time to a few microseconds, thus retention time could be much shorter. completely eliminating the effect. The cost of the proposed There are several ways how the retention time of the special solution is very low as it is completely non-invasive. The cells can be improved. For example, multiple cells can be used method of significant reduction of data remanence time can to reduce the probability of a failure caused by a single cell. be used for SRAM-based PUF and PRNG devices in order to Another way is to design special cells which lose charge speed up the process of key generation. slower than normal ones. Also, the devices should be better Data remanence time varies between different families of tested for the use in critical applications. Latest SoCs and microcontrollers and between devices within each family be- microcontrollers have extended lifetime of embedded NVM. cause of variation between transistors. Therefore, secure sys- However, emerging memory technologies could have reliabil- tem designers should test wide range of samples to ensure ity issues. More robust testing will be required to make sure their robustness against data remanence at wide range of con- that automotive parts will still be fully functional after 20 years ditions for all samples. in adverse conditions. Data remanence in non-volatile memory could be influ- This paper analysed mid-range 8-bit and 16-bit enced as well. However, in that case, it could have severe microcontrollers built with 0.9- to 0.25-μm process. It would effect on security. It might be possible to increase data reten- be beneficial to expand it with measurements applied to higher tion time of the main Flash/EEPROM memory in a way that it density modern devices. Those devices are likely to have low- would not lose the data fast enough during mass erase used for er data remanence time due to higher leakage in SRAM cells. secure reprogramming. As a result, the protection fuse will be However, lower operating voltage could compensate this, disabled earlier than expected, thus leaving the on-chip mem- making them still vulnerable to data remanence. ory contents intact. This would compromise the security of the There are other implications from undocumented features chip. Modern microcontrollers should be properly tested by present in many chips and mainly used for factory failure the manufacturers to avoid such situations where protection analysis and debugging purposes. In this case, the hardware fuse is erased earlier than the main memory as a result of design engineers will be unaware of possible problems and power glitching. outcomes unless they could afford to scan the device for un- Interconnection between data retention and data remanence documented features [31]. was discussed with real examples in automotive and industrial More robust testing and evaluation must be performed on systems. This research has demonstrated that old semiconductor devices going into sensitive applications with J Hardw Syst Secur high-risk factors like in car, aviation, and medical industries as 12. Kai Y, Xuecheng Z, Guoyi Y, Weixu W (2009) Security strategy of well as critical infrastructure. For those systems which remain powered-off SRAM for resisting physical attack to data remanence. J Semicond 30:095010 in the field, it would be beneficial to carry out risk assessment 13. DS5250 high-speed secure microcontroller. http://www. and reprogram or upgrade the hardware. maximintegrated.com/en/products/digital/microcontrollers/ DS5250.html 14. Aritome S, Shirota R, Hemink G, Endoh T, Masuoka F (1993) Open Access This article is distributed under the terms of the Creative Reliability issues of flash memory cells. Proc IEEE 81(5):776–788 Commons Attribution 4.0 International License (http:// 15. Lecuyer P (2002) Reliability prediction for microcontrollers with creativecommons.org/licenses/by/4.0/), which permits unrestricted use, embedded EEPROM. ESCCON 2002, pp 67–71 distribution, and reproduction in any medium, provided you give appro- 16. Chen Yet al (2003) EEPROM bit failure investigation. 6th Military priate credit to the original author(s) and the source, provide a link to the and Aerospace Programmable Logic Devices International Creative Commons license, and indicate if changes were made. Conference 17. SCADA. http://en.wikipedia.org/wiki/SCADA 18. MC68HC11A8 HCMOS single-chip microcontroller, Freescale Semiconductor Inc. http://www.freescale.com/files/ References microcontrollers/doc/data_sheet/MC68HC11A8.pdf 19. Skorobogatov S (2005) Semi-invasive attacks – a new approach to 1. A Guide to Understanding Data Remanence in Automated hardware security analysis. UCAM-CL-TR-630 Information Systems. Version 2, September 1991, NSA/NCSC 20. Kömmerling O, Kuhn MG (1999) Design principles for tamper- Rainbow Series resistant smartcard processors. USENIX Workshop on SC 2. Gutmann P Secure deletion of data from magnetic and solid-state Technology memory. 6th USENIX Security Symposium, July 1996, pp 77–89 21. Skorobogatov S (2017) How microprobing can attack encrypted 3. Anderson RJ, Kuhn MG (1996) Tamper resistance – a cautionary memory. Euromicro Conference on Digital System Design, AHSA note. The Second USENIX Workshop on e-Commerce 22. De Nardi C et al (2005) Oxide charge measurements in EEPROM – 4. Skorobogatov S (2002) Low temperature data remanence in static devices. Microelectron Reliab 45:1514 1519 RAM. Technical Report UCAM-CL-TR-536. University of 23. Courbon F, Skorobogatov S, Woods C (2017) Reverse engineering Cambridge, Computer Laboratory, Cambridge Flash EEPROM memories using scanning electron microscopy. CARDIS 2016, LNCS, vol 10146. Springer, Berlin 5. Gutmann P Data remanence in semiconductor devices. 10th 24. MC68HC908AZ60 HCMOS microcontroller unit, Freescale USENIX Security Symposium, Washington, D.C., August 13–17, Semiconductor Inc. http://www.freescale.com/files/ 2001 microcontrollers/doc/data_sheet/MC68HC908AZ60.pdf 6. Skorobogatov S (2005) Data remanence in flash memory devices. 25. MC68HC908AZ60A microcontroller, Freescale Semiconductor CHES 2005, LNCS 3659. Springer-Verlag, Berlin, pp 339–353 Inc. http://cache.freescale.com/files/microcontrollers/doc/data_ 7. Koscher K et al (2010) Experimental security analysis of a modern sheet/MC68HC908AZ60A.pdf automobile. IEEE Symposium on Security and Privacy, Oakland 26. MSP430F112 ultra-low-power microcontroller, Texas Instruments. 8. Checkoway S et al (2011) Comprehensive experimental analyses of http://www.ti.com/product/msp430f112 – automotive attack surfaces. USENIX Security, 10 12 27. MSP430F427 ultra-low-power microcontroller, Texas Instruments. 9. Weingart SH (1987) Physical security for the mABYSS system. http://www.ti.com/product/msp430f427 IEEE Computer Society Conference on Security and Privacy, pp 28. PIC16F87X data sheet. 28/40-pin 8-bit CMOS FLASH 52–58 microcontrollers, Microchip 10. Smith SW, Weingart S (1999) Building a high-performance, pro- 29. Atmega163, Atmel. http://www.atmel.com/devices/atmega163. grammable secure coprocessor. Comput Netw 31:831–860 aspx6 11. Steve H (1965) Weingart. Physical security devices for computer 30. Attiny12, Atmel. http://www.atmel.com/devices/attiny12.aspx subsystems: a survey of attacks and defenses. CHES 2000. 31. Skorobogatov S, Woods C Breakthrough silicon scanning discovers Springer-Verlag LNCS, Berlin, pp 302–317 backdoor in military chip. CHES 2012, LNCS 7428, pp 23–40